Dissecting LinkedIn's Response to the Password Breach

It's Friday afternoon, and we here at Security Watch heard from several readers who discovered through the LastPass tool that their passwords had been included in that original dump file, but have not received any password reset notices from the social networking site. This is a little worrying, considering that many users may be thinking, "Oh, I didn't get a note, so I must be okay," when in reality, they are exposed and don't know it.

Yesterday, Security Watch posted a link to a password lookup tool provided by online password manager company LastPass that users can use to find out if their passwords were one of the 6.5 million compromised.


I reached out to LinkedIn to find out what is going on.

"We are contacting all members we believe could potentially be affected, starting with those who we believe are at the greatest risk. We have already initiated the outreach," a LinkedIn spokesperson said in an email. She was unable to provide any other details.

Who Is at Greatest Risk?

I was very concerned about LinkedIn's focus on members at "greatest risk." How do they define this? It sounds from the statement that LinkedIn is somehow classifying members who had weak passwords and may have been among the group whose passwords were cracked easily, and notifying them first. Members with fairly complex passwords may not be getting notified, yet, because their passwords were strong and less likely to get cracked.

In fact, in a follow-up post on June 7, Silveira wrote, "Our first priority was to lock down and protect the accounts associated with the decoded passwords that we believed were at greatest risk."

Does LinkedIn have a list of hashes that have been cracked? The Russian hacker forum where the dump file was originally posted (it's now offline and inaccessible) had posts from other members who had helped crack portions of the list. Is LinkedIn relying on that list to identify "decoded passwords"?

The problem is, quite a number of people on both sides of the security fence—black and white hat alike—have been running the dump file against various password cracker tools to see how many can be cracked. Reports vary on how successful these efforts are, but Francois Pesce, a researcher at Qualys, used an open source tool called John the Ripper and managed to crack 900,000 passwords in four hours. At last count, Pesce has managed to identify a total of 2,000,000 passwords, many of which were pretty obscure strings.

What LinkedIn Actually Promised

In both the confirmation post and the follow-up, Silveira said all affected accounts were being locked and prompted to reset the passwords. "Those members are also being contacted by LinkedIn with instructions on how to reset their passwords," Silveira said June 7.

While that may sound like LinkedIn is proactively reaching out to all affected members, perhaps that's not what Silveira meant at all. In the June 6 post, written Wednesday, he said, "Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid. These members will also receive an email from LinkedIn with instructions on how to reset their passwords."

So if you haven't logged into your account since the breach was first reported, I suggest you do so immediately, so that you can receive that notification mail. And pick a strong password.

I had a friend log in to her LinkedIn account, and we saw a message that her account had been locked, and that reset instructions would be sent to the associated email address. After we verified her email address on the page, we saw the following message, "We have sent a link to reset your password to [email redacted]. If you are having problems receiving this link, please contact Customer Service."

Wait. Didn't Silveira originally say there would be no links in the email? In actuality, he said there would be two messages, with the first one being an intermediary verification process before sending the reset link.

"There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link."

We checked. We received only one email, and that was the one with the password reset link. I have no idea what the first message was supposed to be or where it went.

What to Do After an Incident

I don't want to jump all over LinkedIn, because it's a sad fact that it's not alone in falling down on security. Plenty of other companies have made the same mistakes and didn't protect user credentials and data. (Remember Sony?) But LinkedIn could have handled its post-breach response a little bit better.

After several news outlets reported a person on a Russian hacker forum had claimed to have a file of LinkedIn passwords, the company was silent for several hours beyond the "we are investigating" message on Twitter. Despite several security researchers and other users confirming they'd found their LinkedIn passwords in the file, the company remained silent for most of the day. While the company finally confirmed the breach on the blog and Twitter, there was practically no information available about what had happened, whether the breach was contained, or what the risks were.

I still think affected users should have been contacted and notified directly, instead of relying on this "greatest risk" metric. Transparency and promptness matter in regaining user trust.

About the Author

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Inte...
